We can’t do zero trust yet
“What is zero trust architecture, and why does it matter? Quite frankly, it’s not something that anyone can do yet, and in fact, I would say 2024 is the earliest we can really expect to see it at a production level.”
These are the words of Ian Farquhar, field CTO at Gigamon Australia, during his opening keynote at the ITWeb Security Summit being held in Johannesburg this week.
He says zero trust is a journey everyone will need to go on because there aren’t a lot of other options. “I'm sick of installing yet another security product. What I want to do is improve my security, and I see zero trust is the most viable way of doing that.”
It’s not a product
Speaking of what zero trust really is, Farquhar stresses that it’s not a product.
“Anyone who comes to you and says we have a product that is zero trust – no, sorry. They've got a product that helps towards that goal. But it's not just a product. It's not a feature of an existing product. It's not something that you will add to a firewall. It is not a specific, defined architecture, there will be all sorts of architectures.”
He says it is also very different to what we're doing at the moment.
“As of May 2022, it is technologically incomplete. There are two US government pilots I am aware of, as every US government agency is moving to a zero trust architecture because they looked at their options and have concluded that zero trust architecture is the way of significantly improving their resilience against the type of attacks that are leveraged at US government agencies.”
The antithesis of zero trust
Looking back at the firewalls of yesterday, he says some actually had a trusted and an untrusted port, and everything on one side was completely trusted and everything on the other side was completely untrusted.
“This is the antithesis of zero trust, because it makes trust assumptions. That's just ridiculous – it’s the sort of trust assumptions that hackers and threat actors have been exploiting for years. Get a RAT onto the untrusted side of our network and it has full access because I don't do controls on my east-west network. Zero trust moves away from that.”
The way zero trust changes how we handle trust, he explains, is that trust becomes non-binary.
“It's not trusted or untrusted, we evaluate the level of assurance. Trust becomes a function over time. Just because something is trusted at one point in time doesn't mean it remains trusted forever. Trust can increase, trust can decrease and it is subject to constant verification. It is also data-centric, but not exclusively. It assumes that your attacker is present in the environment, and it means no perimeters.”
According to Farquhar: “It's a challenge to the assumption we as network architects make. The Cambridge dictionary has the best definition of trust, which it says is to believe that someone is good and honest and will not harm you. In a zero trust context, to say that something will not harm you, means you are constantly assessing subjects, whether users, resources, systems, services or software, to assess whether they are likely to do you harm.”
Almost every principle of security architecture that architects have been building on for years is present in zero trust, he says. “The assumption of compromise, defence in depth, all of those things are fundamental to the tenets of zero trust.”
A very simple concept
The basic concept is very, very simple, he says.
“We have a resource, such as a computer and it is fundamentally untrusted. It wants to connect to a resource, a system, data, or an application, and it passes through a policy decision, policy enforcement point. Initially, it is untrusted until the policy decision point decides that it is allowable.”
He uses the analogy of passport control. “When you approach border control, you're untrusted. You provide border control with your passport, they scan your luggage, they do everything they need, and at that point, they decide whether they're going to let you through or not. And once they decide to let you through, you're in a secure zone. In zero trust terminology, that is called the implicit trust so they have decided you are now trustable and you can access the resource.”
However, for zero trust, this is done for every connection, every time. “Every time you do a new connection, they re-evaluate whether you get to do it again. That's the concept of zero trust.”
No more implicit trust
Speaking of the tenets of zero trust, Farquhar says don’t assume the position of a system on the network means that it's trusted or not; always be looking at every single system, every single user, every single device on your network, and assess their trust.
“We stop implicitly trusting people just because they can provide a password. We understand that people can change over time, that they can be leveraged, that they could be blackmailed or bribed. We look for atypical activity and we decide whether we let things through.”
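The model described above (a subject that starts untrusted, a policy decision point that scores it per connection, trust that decays over time and drops on atypical activity, and network position that counts for nothing) can be sketched as a small policy engine. This is an added illustration, not code from Farquhar or Gigamon; the subject fields, resource thresholds and half-life are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Subject:
    """What the policy decision point knows about a requester (constructed fields)."""
    user: str
    mfa_verified: bool
    device_managed: bool
    seconds_since_auth: int   # age of the last strong verification
    anomaly_flags: int        # atypical-activity signals from telemetry
    network_zone: str         # recorded, but deliberately ignored for trust

# Resource sensitivity: minimum assurance level required (constructed policy).
RESOURCE_POLICY = {"wiki": 0.3, "payroll": 0.7, "secrets-vault": 0.9}
HALF_LIFE_SECONDS = 1800  # verification credit halves every 30 minutes (assumption)

def assurance_level(s: Subject) -> float:
    """Non-binary trust: a 0..1 score instead of a trusted/untrusted bit.
    It decays with time since verification and drops on atypical activity."""
    base = 0.2                                # anything reaching the PDP starts low
    credit = (0.4 if s.mfa_verified else 0.0) + (0.3 if s.device_managed else 0.0)
    freshness = 0.5 ** (s.seconds_since_auth / HALF_LIFE_SECONDS)
    score = base + credit * freshness - 0.15 * s.anomaly_flags
    return round(max(0.0, min(1.0, score)), 3)

def decide(s: Subject, resource: str) -> bool:
    """Policy decision point: compare the current assurance level with the
    resource's requirement. The network zone is never consulted."""
    required = RESOURCE_POLICY.get(resource)
    return required is not None and assurance_level(s) >= required

class EnforcementPoint:
    """Policy enforcement point: every connection is re-evaluated, so an
    earlier ALLOW never carries over to the next request."""
    def __init__(self):
        self.audit = []   # (user, resource, score, verdict) per connection attempt

    def connect(self, s: Subject, resource: str) -> str:
        verdict = "ALLOW" if decide(s, resource) else "DENY"
        self.audit.append((s.user, resource, assurance_level(s), verdict))
        return verdict

if __name__ == "__main__":
    pep = EnforcementPoint()
    alice = Subject("alice", True, True, 0, 0, "internal")
    print(pep.connect(alice, "secrets-vault"))   # ALLOW: fresh MFA on a managed device
    alice.seconds_since_auth = 3600               # an hour later, same session
    print(pep.connect(alice, "secrets-vault"))   # DENY: assurance decayed to 0.375
    bob = Subject("bob", False, False, 0, 0, "internal")
    print(pep.connect(bob, "wiki"))               # DENY: being "inside" buys nothing
```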
Farquhar says zero trust is not so much an architecture as it is a philosophy. “The philosophy is getting rid of, and driving out the trust assumptions we used to make. Firewalls didn't have the ability to do content inspection and carry out sophisticated trust decisions. Until fairly recently, therefore, we had to make trust assumptions. The whole idea of zero trust is to say we can't make these assumptions anymore. Attackers get in by using our assumptions against us.”
He says we need to assess the traceability of everything – users, subjects, resources. “We need to look at the controls we use, and assess the traceability of absolutely everything, and measure traceability using a particular control, and we need to assess the traceability of that control as well. We need to change our thinking, and have no more implicit trust assumptions, even the ones we don't know we're making. Take logging, for example. Everyone loves it, it’s a core, fundamental technology of security. But if I trust telemetry coming from inside a compromised device, the attacker has compromised the telemetry, so why would I do that? It's not logical.”